Total
998 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-20153 | 1 Determine | 1 Contract Lifecycle Management | 2020-01-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| An issue was discovered in Determine (formerly Selectica) Contract Lifecycle Management (CLM) in v5.4. An XML external entity (XXE) vulnerability in the upload definition feature in definition_upload_attach.jsp allows authenticated remote attackers to read arbitrary files (including configuration files containing administrative credentials). | |||||
| CVE-2019-15983 | 1 Cisco | 1 Data Center Network Manager | 2020-01-08 | 4.0 MEDIUM | 4.9 MEDIUM |
| A vulnerability in the SOAP API of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. To exploit this vulnerability, an attacker would need administrative privileges on the DCNM application. The vulnerability exists because the SOAP API improperly handles XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by inserting malicious XML content in an API request. A successful exploit could allow the attacker to read arbitrary files from the affected device. Note: The severity of this vulnerability is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one. | |||||
| CVE-2019-19998 | 1 Xiuno | 1 Xiunobbs | 2020-01-07 | 5.0 MEDIUM | 7.5 HIGH |
| Xiuno BBS 4.0 allows XXE via plugin/xn_wechat_public/route/token.php. | |||||
| CVE-2012-2656 | 1 Talend | 1 Restlet | 2019-12-23 | 5.0 MEDIUM | 7.5 HIGH |
| An XML eXternal Entity (XXE) issue exists in Restlet 1.1.10 in an endpoint using XML transport, which lets a remote attacker obtain sensitive information. | |||||
| CVE-2019-11216 | 1 Bmc | 1 Remedy Smart Reporting | 2019-12-13 | 5.5 MEDIUM | 6.5 MEDIUM |
| BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed. | |||||
| CVE-2019-14678 | 6 Hp, Ibm, Linux and 3 more | 15 Hp-ux, Aix, Z\/os and 12 more | 2019-11-22 | 7.5 HIGH | 10.0 CRITICAL |
| SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used. | |||||
| CVE-2018-20687 | 1 Raritan | 1 Commandcenter Secure Gateway | 2019-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An XML external entity (XXE) vulnerability in CommandCenterWebServices/.*?wsdl in Raritan CommandCenter Secure Gateway before 8.0.0 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. | |||||
| CVE-2014-3599 | 1 Redhat | 1 Hornetq | 2019-11-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy | |||||
| CVE-2019-9757 | 1 Labkey | 1 Labkey Server | 2019-11-01 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read. | |||||
| CVE-2017-15725 | 1 Devada | 1 Dzone Answerhub | 2019-10-31 | 5.0 MEDIUM | 7.5 HIGH |
| An XML External Entity Injection vulnerability exists in Dzone AnswerHub. | |||||
| CVE-2019-8087 | 1 Adobe | 1 Experience Manager | 2019-10-28 | 5.0 MEDIUM | 7.5 HIGH |
| Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2019-8086 | 1 Adobe | 1 Experience Manager | 2019-10-28 | 5.0 MEDIUM | 7.5 HIGH |
| Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2019-8082 | 1 Adobe | 1 Experience Manager | 2019-10-28 | 5.0 MEDIUM | 7.5 HIGH |
| Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2018-1000828 | 1 Frostwire | 1 Frostwire | 2019-10-24 | 6.8 MEDIUM | 9.0 CRITICAL |
| FrostWire version <= frostwire-desktop-6.7.4-build-272 contains a XML External Entity (XXE) vulnerability in Man in the middle on update that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the middle the call to update the software. | |||||
| CVE-2019-1060 | 1 Microsoft | 6 Windows 10, Windows 8.1, Windows Rt 8.1 and 3 more | 2019-10-11 | 9.3 HIGH | 8.8 HIGH |
| A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. | |||||
| CVE-2016-7051 | 1 Fasterxml | 1 Jackson-dataformat-xml | 2019-10-10 | 5.0 MEDIUM | 8.6 HIGH |
| XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD. | |||||
| CVE-2019-3722 | 1 Dell | 1 Emc Openmanage Server Administrator | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain an XML external entity (XXE) injection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to read arbitrary server system files by supplying specially crafted document type definitions (DTDs) in an XML request. | |||||
| CVE-2019-1903 | 1 Cisco | 1 Security Manager | 2019-10-09 | 6.4 MEDIUM | 9.1 CRITICAL |
| A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to access sensitive information or cause a denial of service (DoS) condition. The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by sending malicious requests to a targeted system that contain references within XML entities. An exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the application to consume available resources, resulting in a DoS condition. | |||||
| CVE-2019-1698 | 1 Cisco | 1 Iot Field Network Director | 2019-10-09 | 4.0 MEDIUM | 4.9 MEDIUM |
| A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by importing a crafted XML file with malicious entries, which could allow the attacker to read files within the affected application. Versions prior to 4.4(0.26) are affected. | |||||
| CVE-2019-14693 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2019-10-09 | 5.5 MEDIUM | 8.1 HIGH |
| Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | |||||